topic I changed the DVR IP and in Network Security

PIX 515E routing external to internal

mppflanigan — Tue, 12 Mar 2019 04:05:51 GMT

I am trying to access my camera DVR from outside my network. I have set static and access-list rules and cannot connect. Can I get some assistance? PIX version 6.3(5)

Can you post relevant

mvsheik123 — Thu, 17 Apr 2014 20:45:22 GMT

Can you post relevant configurations?

Thx

Below is the current config

mppflanigan — Fri, 18 Apr 2014 12:10:15 GMT

Below is the current config from before I made changes. I would like to access an internal IP on ports 8200, 8016, 10019 and 8116. I created a static entry; static (inside,outside) tcp xxx.xxx.xxx.xxx 192.168.1.23 8200 netmask 255.255.255.255 but I cannot enter the other ports on the same IP it tells me that it is a duplicate entry. I then created an access rule; access-list outside-inbound permit tcp any host xxx.xxx.xxx.xxx eq 8200.

I would like you to know that I am new at this location and this system has been untouched for roughly 9 years. I have a side question for setting an IP as static from this PIX also.

PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 auto shutdown
interface ethernet3 100full
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz1 security90
nameif ethernet3 dmz2 security80
nameif ethernet4 dmz3 security70
nameif ethernet5 dmz4 security60
enable password encrypted
passwd encrypted
hostname xxxx-PIX
domain-name xxxx.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
no fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.5.41.209 NTP2.USNO.NAVY.MIL
name 192.168.3.254 AIRONET
name xxx.xxx.xxx.xxx SITE1
name xxx.xxx.xxx.xxx SITE2
access-list mgmt-vpn-client permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list mgmt-vpn-client permit ip host AIRONET 172.16.1.0 255.255.255.0
access-list inside_in permit tcp 192.168.1.0 255.255.255.0 host AIRONET eq ssh
access-list inside_in permit tcp 192.168.1.0 255.255.255.0 host AIRONET eq 8080
access-list inside_in deny ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list inside_in permit ip any any
access-list dmz2_in deny ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list dmz2_in permit ip any any
access-list no-nat permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list no-nat permit ip host AIRONET 172.16.1.0 255.255.255.0
access-list outside_in permit icmp any any echo-reply
access-list outside_in permit icmp any any unreachable
access-list outside_in permit icmp any any time-exceeded
pager lines 24
icmp deny any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
mtu dmz1 1500
mtu dmz2 1500
mtu dmz3 1500
mtu dmz4 1500
ip address outside xxx.xxx.xxx.xxx 255.255.255.252
ip address inside 192.168.1.1 255.255.255.0
ip address dmz1 192.168.2.1 255.255.255.0
ip address dmz2 192.168.3.1 255.255.255.0
ip address dmz3 192.168.4.1 255.255.255.0
ip address dmz4 192.168.5.1 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip verify reverse-path interface dmz1
ip verify reverse-path interface dmz2
ip verify reverse-path interface dmz3
ip verify reverse-path interface dmz4
ip audit info action alarm drop reset
ip audit attack action alarm drop reset
ip local pool VPN-CLIENTS 172.16.1.1-172.16.1.254
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address dmz1
no failover ip address dmz2
no failover ip address dmz3
no failover ip address dmz4
no pdm history enable
arp timeout 14400
global (outside) 1 interface
global (dmz1) 1 interface
global (dmz2) 1 interface
nat (inside) 0 access-list no-nat
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
nat (dmz2) 0 access-list no-nat
nat (dmz2) 1 192.168.3.0 255.255.255.0 0 0
access-group outside_in in interface outside
access-group inside_in in interface inside
access-group dmz2_in in interface dmz2
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:05:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:05:00
timeout sip-disconnect 0:05:00 sip-invite 0:05:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server RADIUS (inside) host 192.168.1.5 53cuR3dNetW0rk5 timeout 10
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authentication serial console LOCAL
ntp server NTP2.USNO.NAVY.MIL source outside prefer
snmp-server location
snmp-server contact
snmp-server community
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
service resetinbound
service resetoutside
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto dynamic-map VPN-CLIENT-MAP 10 set pfs group2
crypto dynamic-map VPN-CLIENT-MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE-MAP 100 ipsec-isakmp dynamic VPN-CLIENT-MAP
crypto map OUTSIDE-MAP client authentication LOCAL
isakmp identity address
isakmp nat-traversal 20
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption aes
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
vpngroup MGMT address-pool VPN-CLIENTS
vpngroup MGMT dns-server 192.168.1.5
vpngroup MGMT wins-server 192.168.1.5
vpngroup MGMT default-domain xxxxx.com
vpngroup MGMT split-tunnel mgmt-vpn-client
vpngroup MGMT pfs
vpngroup MGMT idle-time 86400
vpngroup MGMT password ********
telnet timeout 2
ssh SITE1 255.255.255.255 outside
ssh SITE2 255.255.255.255 outside
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 20
management-access inside
console timeout 2
dhcpd address 192.168.1.10-192.168.1.99 inside
dhcpd address 192.168.3.101-192.168.3.199 dmz2
dhcpd dns 24.25.5.60 24.25.5.61
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
dhcpd enable dmz2
username admin encrypted privilege 15
username site encrypted privilege 15
terminal width 80
banner exec * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
banner exec * *
banner exec * [WARNING] XXXX-PIX *
: end
XXXX-PIX#

Can anyone offer assistance

mppflanigan — Thu, 24 Apr 2014 14:01:24 GMT

Can anyone offer assistance

You should be able to add

Jon Marshall — Thu, 24 Apr 2014 18:32:22 GMT

You should be able to add multiple static statements using the same IP as long as you specify the ports ie.

static (inside,outside) tcp x.x.x.x <port num> 192.168.1.23 <port num>

what is x.x.x.x ? No need to post the actual IP but is it the IP assigned to the outside interface or another one.

If it is another one is that IP part of a range being routed to your firewall ?

Jon

I have added the following

mppflanigan — Fri, 25 Apr 2014 12:51:32 GMT

I have added the following with no luck.

static (inside,outside) tcp xxx.xxx.xxx.xxx 8200 192.168.1.13 8200 netmask 255.255.255.255
static (inside,outside) udp xxx.xxx.xxx.xxx 8200 192.168.1.13 8200 netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.xxx.xxx 8016 192.168.1.13 8016 netmask 255.255.255.255
static (inside,outside) udp xxx.xxx.xxx.xxx 8016 192.168.1.13 8016 netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.xxx.xxx 8116 192.168.1.13 8116 netmask 255.255.255.255
static (inside,outside) udp xxx.xxx.xxx.xxx 8116 192.168.1.13 8116 netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.xxx.xxx 10019 192.168.1.13 10019 netmask 255.255.255.255
static (inside,outside) udp xxx.xxx.xxx.xxx 10019 192.168.1.13 10019 netmask 255.255.255.255

access-list dvr_in permit tcp xxx.xxx.xxx.xxx outside eq 8200
access-list dvr_in permit tcp xxx.xxx.xxx.xxx outside eq 8016
access-list dvr_in permit tcp xxx.xxx.xxx.xxx outside eq 8116
access-list dvr_in permit tcp xxx.xxx.xxx.xxx outside eq 10019
access-list dvr_in permit udp xxx.xxx.xxx.xxx outside eq 8200
access-list dvr_in permit udp xxx.xxx.xxx.xxx outside eq 8016
access-list dvr_in permit udp xxx.xxx.xxx.xxx outside eq 8116
access-list dvr_in permit udp xxx.xxx.xxx.xxx outside eq 10019
access-group dvr_in in xxx.xxx.xxx.xxx outside

I think there may be a rule preventing the above from working.

route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1 (the IP is the outside interface static IP and that is the only route rule)

Your acl looks wrong although

Jon Marshall — Fri, 25 Apr 2014 13:44:22 GMT

Your acl looks wrong although it's difficult to say because all the IPs are hidden

In your static statements what public IP have you used ? No need to post the actual IP but is it the outside interface IP or is it a different IP ?

Who should have access to the camera DVR from outside ie. are they specific IPs or could it be any IP ?

Can you answer both of the above please.

Jon

The xxx IP is only my outside

mppflanigan — Fri, 25 Apr 2014 14:12:28 GMT

The xxx IP is only my outside static public IP. The DVR is static 192.168.1.13.

Thanks for the help

So just to clarify -the xxx

Jon Marshall — Fri, 25 Apr 2014 14:15:49 GMT

So just to clarify -

the xxx IP is the IP assigned to the outside interface ?

Can you also answer the second question i asked ie. which IPs should have access to it from the internet ?

Jon

Yes the xxx IP is the IP

mppflanigan — Fri, 25 Apr 2014 14:33:31 GMT

Yes the xxx IP is the IP assigned to the outside interface.

Second question; I need various IPs to access it so management can access the DVR from home/phones etc...

Thanks

Your acl should look like

Jon Marshall — Fri, 25 Apr 2014 14:38:01 GMT

Your acl should look like -

access-list dvr_in permit tcp host <source IP> host <outside interface IP> eq <port num>

and you would need a line for each source IP and port combination.

then to apply it -

access-group dvr_in in interface outside

is this what you have done ?

Jon

I have used what is above and

mppflanigan — Fri, 25 Apr 2014 15:14:04 GMT

I have used what is above and also other variations including;

access-list dvr permit tcp any xxx.xxx.xxx.xxx outside eq 8200
access-list dvr permit tcp any xxx.xxx.xxx.xxx outside eq 8016
access-list dvr permit tcp any xxx.xxx.xxx.xxx outside eq 8116
access-list dvr permit tcp any xxx.xxx.xxx.xxx outside eq 10019

access-group dvr in interface outside

I am going to redo the entries in soon and let you know the results.

Thanks again.

I changed the DVR IP and

mppflanigan — Fri, 25 Apr 2014 18:35:04 GMT

ETA; it is working.

I changed the DVR IP and added: (xxx.xxx.xxx.xxx) is the outside interface IP.

static (inside,outside) tcp xxx.xxx.xxx.xxx 8200 192.168.1.52 8200 netmask 255.255.255.255
static (inside,outside) udp xxx.xxx.xxx.xxx 8200 192.168.1.52 8200 netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.xxx.xxx 8016 192.168.1.52 8016 netmask 255.255.255.255
static (inside,outside) udp xxx.xxx.xxx.xxx 8016 192.168.1.52 8016 netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.xxx.xxx 8116 192.168.1.52 8116 netmask 255.255.255.255
static (inside,outside) udp xxx.xxx.xxx.xxx 8116 192.168.1.52 8116 netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.xxx.xxx 10019 192.168.1.52 10019 netmask 255.255.255.255
static (inside,outside) udp xxx.xxx.xxx.xxx 10019 192.168.1.52 10019 netmask 255.255.255.255
access-list dvr_in permit tcp any host xxx.xxx.xxx.xxx eq 8200
access-list dvr_in permit tcp any host xxx.xxx.xxx.xxx eq 8016
access-list dvr_in permit tcp any host xxx.xxx.xxx.xxx eq 8116
access-list dvr_in permit tcp any host xxx.xxx.xxx.xxx eq 1019
access-group dvr_in in interface outside

I was sure I added it correctly before. Maybe not. (I know thw private IP changed)

Thanks for the assistance, much appreciated